The Apache Software Foundation (ASF) has announced a critical security update for its Tomcat server software, addressing a vulnerability that can lead to remote code execution (RCE) under specific conditions. The update covers two vulnerabilities, CVE-2024-56337 and CVE-2024-50379; the latter carries a CVSS score of 9.8, marking it as a severe threat.

Reportedly, CVE-2024-56337 arises from an incomplete remediation of the previously disclosed CVE-2024-50379, which the ASF had initially addressed on December 17, 2024. Organizations running Tomcat should be particularly vigilant, as the vulnerability affects instances running on case-insensitive file systems with the default servlet configured to allow writes, potentially exposing those systems to RCE.

According to the ASF advisory, upgrading alone may not be sufficient: depending on the Java version in use, additional configuration changes are required. Specifically, Tomcat installations with write access enabled on the default servlet may need further configuration to be protected against these vulnerabilities. This highlights the importance of conducting regular security audits to ensure all systems meet the latest security standards.

The vulnerabilities share a common characteristic: both are Time-of-check Time-of-use (TOCTOU) race conditions, presenting risks for users who may inadvertently expose their systems to code execution through improper file handling. Apache further explained that reading and uploading the same file concurrently can bypass Tomcat's case-sensitivity checks, so that an uploaded file is treated as a JSP, which poses a serious security threat.

Impact assessment indicates that Apache Tomcat versions 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97 are vulnerable to CVE-2024-56337 and require updates to versions 11.0.2, 10.1.34, and 9.0.98 or later, respectively. In addition to updating, users must adjust their configuration according to the Java version in use. Java 8 and 11 users should set the system property sun.io.useCanonCaches to false, whereas Java 17 users must confirm that the property is set to false. Fortunately, no configuration changes are needed for Java 21 and later, as the property has been removed.
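The remediation steps above, as an added shell example that is not code from the ASF advisory or the Tomcat project: it classifies a Tomcat version string against the affected ranges, maps a Java major version to the required handling of sun.io.useCanonCaches, and checks whether a JAVA_OPTS string already disables the property. The function names and sample values are my own, and Java versions the advisory does not name are reported as not covered.

```sh
#!/bin/sh
# Added example, not from the ASF advisory: map the affected ranges and the
# Java-version guidance onto checks an administrator can run. Function names
# and the sample values at the bottom are constructed for illustration.

# tomcat_is_vulnerable VERSION
#   returns 0 if VERSION is in an affected range, 1 if it is at or above the
#   fixed release, 2 if the branch is not one the advisory covers.
tomcat_is_vulnerable() {
  v=$1
  # Milestone builds (11.0.0-M1, 10.1.0-M1, 9.0.0.M1) predate every fix.
  case "$v" in *M[0-9]*) return 0 ;; esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}          # keep only the leading numeric part
  [ -n "$patch" ] || patch=0
  case "$major.$minor" in
    11.0) fixed=2 ;;                 # fixed in 11.0.2
    10.1) fixed=34 ;;                # fixed in 10.1.34
    9.0)  fixed=98 ;;                # fixed in 9.0.98
    *)    return 2 ;;
  esac
  [ "$patch" -lt "$fixed" ]
}

# canon_caches_action JAVA_MAJOR
#   prints what the advisory asks for on that Java line.
canon_caches_action() {
  case "$1" in
    8|11) echo set-false ;;          # set -Dsun.io.useCanonCaches=false
    17)   echo verify-false ;;       # confirm it has not been set to true
    *)    if [ "$1" -ge 21 ]; then echo none; else echo not-covered; fi ;;
  esac
}

# java_opts_disable_canon_caches "OPTS"
#   returns 0 if OPTS already carries -Dsun.io.useCanonCaches=false.
java_opts_disable_canon_caches() {
  case " $1 " in
    *" -Dsun.io.useCanonCaches=false "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Sample run with constructed values (not taken from a real host).
if tomcat_is_vulnerable 9.0.97; then
  echo "Tomcat 9.0.97 is affected: upgrade to 9.0.98 or later"
fi
echo "Java 11 needs: $(canon_caches_action 11)"
```

On a real host, feed the functions the output of `java -version` and the Tomcat version string from the installation, then add the property to CATALINA_OPTS or JAVA_OPTS if the check reports it missing.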

The vulnerabilities were identified by security researchers Nacl, WHOAMI, Yemoli, and Ruozhi, with the KnownSec 404 Team also credited for independently reporting CVE-2024-56337 and providing proof-of-concept code to illustrate the threat. Companies should take note of these vulnerabilities, as they fit the ongoing trend of increasing pressure from cyber adversaries targeting enterprise systems.

This alert compounds the urgency of addressing cybersecurity vulnerabilities, particularly as recent disclosures by the Zero Day Initiative (ZDI) reveal another critical vulnerability in Webmin (CVE-2024-12828) that may allow authenticated remote attackers to execute arbitrary code via unvalidated CGI requests. This raises significant concerns for organizations that may rely on these systems, underscoring the importance of maintaining vigilance and resilience against evolving cyber threats.
